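;;; OpenSSH daemon service: a Shepherd service that runs sshd, the
;;; privilege-separation account, and host-key generation at activation time.

(define-module (gnu services openssh)
  #:use-module (gnu)
  #:use-module (gnu services shepherd)
  #:use-module (gnu packages admin)     ;provides 'shadow' for the nologin shell
  #:use-module (gnu packages ssh)
  #:use-module (guix)
  #:export (openssh-service-type))

(define (ssh-shepherd-service config-file)
  "Return a one-element list holding the <shepherd-service> that runs sshd
with CONFIG-FILE passed through its '-f' option.  The service provides
'ssh-daemon' and requires 'networking'."
  (list (shepherd-service
         (provision '(ssh-daemon))
         (requirement '(networking))
         (start #~(make-forkexec-constructor
                   (list (string-append #$openssh "/sbin/sshd")
                         "-f" #$config-file)
                   ;; NOTE(review): this path has to match the PidFile that
                   ;; CONFIG-FILE makes sshd write, otherwise the service
                   ;; will presumably not be seen as started.  Keeping
                   ;; runtime state under /etc is also unusual; confirm the
                   ;; intended location (e.g. under /var/run) against the
                   ;; configuration before changing it.
                   #:pid-file "/etc/sshd.pid"))
         (stop #~(make-kill-destructor)))))

;; Account used by sshd for privilege separation.
(define %sshd-accounts
  (list (user-account
         (name "sshd")
         (comment "OpenSSH privilege separation user")
         (home-directory "/var/empty")
         (system? #t)
         ;; NOTE(review): 'nogroup' may be shared with other unprivileged
         ;; daemons; a dedicated system group would isolate the
         ;; unprivileged sshd process from them.
         (group "nogroup")
         ;; The account exists only for privilege separation and must never
         ;; be usable for an interactive session, so give it a shell that
         ;; refuses logins instead of the default one.
         (shell #~(string-append #$shadow "/sbin/nologin")))))

;; Activation snippet: create the Ed25519 host key if it does not exist yet.
;;
;; Activation runs at every boot and every reconfiguration.  The key must be
;; generated once and then left alone: the host key is the server's
;; identity, and replacing it makes every client report a changed host key.
;; Running ssh-keygen unconditionally on an existing file also makes it ask
;; whether to overwrite, which has no sensible answer in a non-interactive
;; activation script.
;;
;; NOTE(review): CONFIG-FILE must point sshd at this path with a HostKey
;; directive unless it happens to be the default location of the packaged
;; sshd -- confirm.
(define %sshd-keygen
  #~(let ((key-file "/etc/ssh_host_ed25519_key"))
      (unless (file-exists? key-file)
        ;; An empty passphrase ("-N" "") is required so that sshd can load
        ;; the key unattended.
        (let ((status (system* (string-append #$openssh "/bin/ssh-keygen")
                               "-t" "ed25519"
                               "-N" ""
                               "-f" key-file)))
          ;; Do not abort activation, but do not fail silently either: an
          ;; sshd without a host key cannot accept connections.
          (unless (zero? status)
            (format (current-error-port)
                    "warning: ssh-keygen could not create ~a (wait status ~a)~%"
                    key-file status))))))

;; Service type tying the three pieces together: the Shepherd service, the
;; 'sshd' account, and host-key generation at activation.
(define openssh-service-type
  (service-type
   (name 'openssh)
   (extensions
    (list (service-extension shepherd-root-service-type
                             ssh-shepherd-service)
          (service-extension account-service-type
                             (const %sshd-accounts))
          (service-extension activation-service-type
                             (const %sshd-keygen))))))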